
RE: I-D ACTION:draft-savola-v6ops-6to4-security-01.txt



First, let's say that I found the revised draft much more complete than
the previous one. The analysis of the attacks is much more thorough. It
starts providing an actual "is this really worse" study; I wish we could
make that systematic, with the following comparison:

1) Is the situation worse than a current IPv4 Internet, in which
spoofing source addresses is relatively easy? For example, in the
current Internet, an IPv4 source can attack an IPv4 destination; attacks
in which an IPv6 source can attack an IPv4 destination or vice versa are
basically in the "same as IPv4" category.

2) Is the situation worse than a hypothetical IPv4 Internet, in which
ingress filtering would be implemented and spoofing source addresses
would be hard? As noted in the draft, the only attack that is actually
worse in that hypothesis is "relay spoofing".

3) Is the situation worse than an ideal IPv6 Internet, which would not
inherit anything from the current IPv4 Internet, and would implement
strict ingress filtering for all IPv6 addresses? The answer is probably
yes in many cases, since spoofing IPv4 addresses allows sending spoofed
packets through a relay.

The question is then, where do we place the bar? If we consider option
1, then we mostly have to do good housekeeping, mostly implementing the
filtering requirements outlined in the draft.

If we consider option 2, we have to find a solution to the "relay
spoofing" attack. The previous drafts suggested using the anycast
address as a source address; the new draft is much more moderate, and
outlines the many issues with that solution; frankly, I don't believe we
should combat source address spoofing by requiring relays to spoof a
source address. Since the attack is only efficient when the destination
is targeted with a large amount of traffic, a combination of sampling
and ITRACE would probably work. In the hypothesis that Alain mentions,
where a single zombie deflects traffic through multiple reflectors,
sending a sampling of "6to4-ITRACE" messages to the IPv6 source would
give out the zombie address very quickly.

In practice, I believe we should not be too concerned with option 3. We
have to acknowledge that opening relays implies that IPv6 will have by
and large the same "qualities" as IPv4. At least during the transition
phase, most IPv6 hosts will be dual-homed, which means they will benefit
from IPv4 qualities anyhow. 

-- Christian Huitema
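
Added example, not part of the message above or of the draft: a toy Python model of the sampling idea in the "option 2" paragraph, showing why a high-volume sender is named quickly however many relays it spreads traffic over. The trace record layout, relay names, documentation addresses and the 1/20000 sampling rate are all assumptions made for the illustration; no "6to4-ITRACE" format is defined on this page.

```python
import random
from collections import Counter

def relay_forward(pkt, p, rng):
    """Model of a 6to4 relay: with probability p, emit a trace record
    addressed to the packet's claimed IPv6 source (hypothetical format)."""
    if rng.random() < p:
        return {"to": pkt["v6_src"], "relay": pkt["relay"],
                "outer_v4_src": pkt["v4_src"]}
    return None

def simulate(n_packets, relays, p, zombie_v4, claimed_v6_src, seed=1):
    """One sender spreads n_packets over several relays, always claiming the
    same IPv6 source. Returns (tally of IPv4 sources named in the traces that
    the claimed source received, packets sent before the first trace)."""
    rng = random.Random(seed)
    tally, first = Counter(), None
    for i in range(1, n_packets + 1):
        pkt = {"v4_src": zombie_v4, "v6_src": claimed_v6_src,
               "relay": rng.choice(relays)}
        trace = relay_forward(pkt, p, rng)
        if trace is not None:
            tally[trace["outer_v4_src"]] += 1
            if first is None:
                first = i
    return tally, first

def p_at_least_one_trace(n_packets, p):
    """Closed form: every packet is sampled independently, so the number of
    relays the traffic is spread over does not appear in the result."""
    return 1.0 - (1.0 - p) ** n_packets

if __name__ == "__main__":
    relays = ["relay-%d" % k for k in range(8)]            # constructed names
    rate = 1 / 20_000                                      # assumed sampling rate
    tally, first = simulate(200_000, relays, rate,
                            "192.0.2.77", "2001:db8::1")   # documentation addresses
    print("traces naming each IPv4 source:", dict(tally))
    print("first trace after packet:", first)
    print("P(>=1 trace in 200k packets): %.5f"
          % p_at_least_one_trace(200_000, rate))
```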